
Juniper SRX : Proxy ARP on Juniper SRX

Proxy ARP (Address Resolution Protocol) is a technique by which an intermediate network device, such as a router, replies to ARP requests for an IP address that is not part of the local network.

The router acts as a proxy for the destination device with which the host wants to communicate and supplies its own MAC address in the reply.

Note: Proxy ARP can help devices on a network reach remote subnets without the need to configure routing or a default gateway.

Disadvantages of Proxy ARP
  • Proxy ARP can lead to security and performance issues on the network.
  • It poses a security risk by making the network vulnerable to ARP spoofing attacks, in which malicious devices impersonate the proxy and intercept or modify traffic between devices.
  • It can introduce inconsistency into the network's topology and addressing scheme by concealing device locations and identities.

Let's see when and how Proxy ARP is configured on Juniper SRX by answering the questions that often come to mind:

When do you configure Proxy ARP?
How do you check if Proxy ARP is configured?
How do you configure Proxy ARP?


When to configure Proxy ARP

Proxy ARP should be configured for the following scenarios:

1.  When the NAT addresses defined in the static NAT and source NAT pool are in the same subnet as the ingress interface of the SRX firewall (Source NAT and Static NAT scenario).

2.  When the original destination addresses in the destination NAT rules are in the same subnet as the ingress interface (Destination NAT scenario).


Example:
Below is a simple explanation of Proxy ARP for the Static NAT Scenario. 




The above diagram shows static NAT configured on the SRX firewall. When the web client tries to reach the web server, the upstream router needs to forward the packet to the destination IP address 1.1.1.2, so it sends an ARP request to the SRX firewall for 1.1.1.2. If Proxy ARP is not configured on the SRX, the SRX will not reply to the ARP request, because that IP address is not configured on its ingress interface.

The ARP request times out and the packet is dropped at the upstream router itself. However, if Proxy ARP is configured on the ingress interface for the IP 1.1.1.2, then when the upstream router sends an ARP request for 1.1.1.2, the SRX responds on behalf of the server with the MAC address of its own ingress interface, as if that MAC address belonged to the web server itself. The upstream router then sends the packet for 1.1.1.2 to this MAC address, and the SRX in turn forwards the packet to the web server.

How to check if Proxy ARP is enabled

Run the following command in configuration mode:


root# show security nat proxy-arp 


Below is an example of a Proxy ARP configuration.  (If nothing is returned with the above command, then Proxy ARP is not configured.)

root# show security nat proxy-arp
interface ge-0/0/0.0 {

.
.
    address {
        1.1.1.2/32;
            }
}


How to configure Proxy ARP


Below are the instructions for configuring Proxy ARP.


1. Check if the Proxy ARP configuration is present or not:

# show security nat proxy-arp


2. Identify the address for which the Proxy ARP is needed.


3. If Source NAT / Destination NAT is configured for IP 1.1.1.2, then Proxy ARP is configured for the IP address 1.1.1.2.

4. Select the interface on which the NAT is performed.

This decision is based on the IP addresses obtained in the previous step.
IP 1.1.1.2 is in the IP network of the interface ge-0/0/0.0; verify the IP address of the interface ge-0/0/0.0:

# show interfaces ge-0/0/0.0
family inet {
     address 1.1.1.1/24;
}


The IP 1.1.1.2 belongs to the same network as 1.1.1.1/24.


5. Configure the Proxy ARP.

Address chosen is: 1.1.1.2
Interface chosen is: ge-0/0/0.0


set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.2/32

To verify:

# show security nat proxy-arp
interface ge-0/0/0.0 {
    address {
        1.1.1.2/32;
    }
}


Another Example:

The Destination NAT example is the same as the Static NAT example above.

Below is a Source NAT pool example, where Source NAT is configured for an IP that is not the external interface IP but is in the same network as the external interface IP.


In this example, Source NAT is configured with an IP pool (1.1.1.3/32 - 1.1.1.4/32), which is on the same subnet as the SRX interface (1.1.1.1/24).  

The Client requires their IP address 192.168.1.1 to be translated to 1.1.1.3/32 or 1.1.1.4/32 (from the Source NAT Pool). In this case, Proxy-ARP needs to be configured for the interface ge-0/0/0.0, mapping the interface MAC to the IP address 1.1.1.3 and 1.1.1.4:

root# set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.3/32
root# set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.4/32
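The rule behind both examples (static NAT, and the source NAT pool just above) is the same: every NAT address that falls inside the ingress interface's subnet is one the upstream router will ARP for directly, and the SRX only answers for its own interface address or for addresses listed under proxy-arp. The following script is an added audit helper, not code from this post or from Juniper. It parses text shaped like the "show interfaces ge-0/0/0.0" and "show security nat proxy-arp" output shown above, models which ARP requests the SRX would answer, and lists the on-subnet NAT addresses that still need a proxy-arp entry together with the matching set commands. The NAT address list and the off-subnet address 2.2.2.10 are constructed sample input, and support for the "low/32 to high/32" range form in the proxy-arp block is assumed from Junos syntax rather than taken from the page.

```python
"""Added audit helper (not from the post): decide which NAT addresses the SRX
will answer ARP for and which still need a proxy-arp entry."""
import ipaddress
import re

# Constructed sample output, shaped like the show commands in the post.
INTERFACE_NAME = "ge-0/0/0.0"
INTERFACE_OUTPUT = """
family inet {
     address 1.1.1.1/24;
}
"""
PROXY_ARP_OUTPUT = """
interface ge-0/0/0.0 {
    address {
        1.1.1.2/32;
    }
}
"""
# Static NAT 1.1.1.2 and the source NAT pool 1.1.1.3-1.1.1.4 from the post,
# plus one constructed off-subnet address that is reached by routing instead.
NAT_ADDRESSES = ["1.1.1.2", "1.1.1.3", "1.1.1.4", "2.2.2.10"]


def parse_interface_addresses(text):
    """Return the 'family inet' addresses as IPv4Interface objects."""
    return [ipaddress.ip_interface(m) for m in re.findall(r"address\s+(\S+?);", text)]


def parse_proxy_arp(text):
    """Map each interface to the set of addresses it proxies ARP for.
    Handles single prefixes and the 'low/32 to high/32' range form (range
    form is assumed Junos syntax; the post only shows single /32 entries)."""
    proxied = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"interface\s+(\S+)\s*\{", line)
        if m:
            current = m.group(1)
            proxied.setdefault(current, set())
            continue
        if current is None or not line.endswith(";"):
            continue  # 'address {' and '}' lines carry no entry
        entry = line[:-1].strip()
        if " to " in entry:
            low, high = (ipaddress.ip_interface(p).ip for p in entry.split(" to "))
            proxied[current].update(
                ipaddress.ip_address(n) for n in range(int(low), int(high) + 1))
        elif entry and entry[0].isdigit():
            # Iterating a network yields every address in it (one for a /32).
            proxied[current].update(ipaddress.ip_network(entry, strict=False))
    return proxied


def srx_answers_arp(target, iface_addrs, proxied_addrs):
    """Model the behaviour described in the post: the SRX replies to an ARP
    request only for its own interface address or a proxy-arp address."""
    target = ipaddress.ip_address(str(target))
    return any(target == a.ip for a in iface_addrs) or target in proxied_addrs


def missing_proxy_arp(nat_addresses, iface_addrs, proxied_addrs):
    """NAT addresses inside an interface subnet (so the upstream router ARPs
    for them directly) that would get no reply. Off-subnet NAT addresses are
    reached via routing and are not reported."""
    missing = []
    for addr in nat_addresses:
        ip = ipaddress.ip_address(addr)
        on_link = any(ip in a.network for a in iface_addrs)
        if on_link and not srx_answers_arp(ip, iface_addrs, proxied_addrs):
            missing.append(str(ip))
    return missing


def proxy_arp_commands(interface, addresses):
    """Build the 'set security nat proxy-arp' commands used in the post."""
    return [f"set security nat proxy-arp interface {interface} address {a}/32"
            for a in addresses]


def audit(interface=INTERFACE_NAME, iface_text=INTERFACE_OUTPUT,
          proxy_text=PROXY_ARP_OUTPUT, nat_addresses=NAT_ADDRESSES):
    """Return (missing addresses, commands that would add them)."""
    iface_addrs = parse_interface_addresses(iface_text)
    proxied = parse_proxy_arp(proxy_text).get(interface, set())
    missing = missing_proxy_arp(nat_addresses, iface_addrs, proxied)
    return missing, proxy_arp_commands(interface, missing)


if __name__ == "__main__":
    missing, cmds = audit()
    print("NAT addresses without proxy ARP:", missing)
    for c in cmds:
        print(c)
```

With the sample input, only 1.1.1.2 is proxied, so the audit reports 1.1.1.3 and 1.1.1.4 as missing and prints the two set commands; 2.2.2.10 is ignored because it is not in 1.1.1.0/24. Feeding the script real "show" output from the device turns the manual steps 1 to 5 above into a repeatable check.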


Note of caution: be mindful when enabling Proxy ARP, as it comes with security risks.
